HACKER Q&A
📣 boxysean

Why use secrets managers?


I've come across a number of people recently who insist on storing their secrets (e.g., passwords, private keys, credentials) in a secrets manager such as HashiCorp Vault or AWS Secrets Manager. Intuitively, I believe this is a good idea, but I would like to understand it better. Is this a new phenomenon, or something that's been desirable in software since the advent of the industry? Where is this narrative coming from?

Is this idea driven by security? Has it been proven to be a safer paradigm than storing keys in a variety of systems?

Is the idea driven by management? Do folks charged with managing keys prefer to keep all of their keys under one roof so it's easier to keep tabs on, thereby reducing risk?

Is this idea driven by policy? Do GDPR or other mandatory or optional regulatory frameworks imply a customer should control their secrets centrally?

Is the idea driven by sales? Do Azure, GCP, AWS, and HashiCorp all have products that they earn additional $$$ with (pay-per-access and update), and are they pushing their customers to use them?

I'm curious to hear what others think or know. Thanks!


  👤 nunez Accepted Answer ✓
It's driven by all of those things. It's a very old problem.

On a personal level, I like secrets managers (password managers) because I can create credentials on the fly and never have to worry about remembering things.

Before secrets managers, administrators following best practices would store secrets (like passwords) in a secure database with restricted access and strict access control. (Less steadfast admins either shared common passwords, shared passwords through communication mediums like Lync or AIM, or relied on Excel spreadsheets.)

Rotating passwords required lots of coordination amongst teams; consequently, rotations often weren't done or, if they were, they were done significantly less frequently than they should have been.

Lots and lots of data breaches in the past were due to bad/old passwords that got leaked, either from someone gaining access to systems or from rogue (usually ex-) employees sharing secrets around.

Secrets managers solve for this by providing highly-distributed and secure databases for storing secrets along with robust authentication/authorization/access control and, most importantly, client APIs for accessing secrets securely. It is significantly cheaper to buy a secrets manager and get employees to use it than it is to suffer fines from a data breach.


👤 Rd6n6
Your production servers end up needing a variety of secrets, whether db passwords, encryption keys, access tokens, or whatever else. You want to be able to set these automatically, but don’t want to hard code any of it or have it appear in your git repo. Sometimes you have to rotate credentials too. There are a lot of ways to get this wrong and leak your credentials, or have a server/service fail to get the correct one. What do you do?

It's just not always clear how best to do this for a given project. A secrets manager is just a program designed and marketed to help make this easier. It would be weird if there weren't software trying to help with something like this.

It may or may not work for you. It's like Chef vs bash scripts: I prefer bash scripts, but many teams enjoy using Chef.
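One of the "ways to get this wrong" mentioned above is a credential committed to the repository. The following is an added example (not code from the thread or from any secrets-manager product) of a small pre-commit style scanner that flags likely hardcoded credentials in a set of files. The file names and contents are constructed for the example; the AWS access key id shown is the placeholder value used in AWS documentation, and the assignment pattern and entropy threshold are heuristics of this example, not a standard.

```python
import math
import re
from collections import Counter

# Patterns for material that commonly ends up committed by mistake.
# The AKIA+16 shape and the PEM header are public formats; the
# assignment pattern is a heuristic chosen for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

ENTROPY_THRESHOLD = 3.0  # bits per character; below this we assume a placeholder


def shannon_entropy(s):
    """Bits of entropy per character of s; 0.0 for a run of one character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return (path, line_number, pattern_name) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if name == "credential_assignment":
                    value = match.group(2)
                    # Skip template placeholders and low-entropy dummy values;
                    # a real credential is usually high-entropy.
                    if "${" in value or shannon_entropy(value) < ENTROPY_THRESHOLD:
                        continue
                findings.append((path, lineno, name))
    return findings


def scan_files(files):
    """files: mapping of path -> file contents. Returns all findings in order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample files for this example (not from any real repository).
SAMPLE_FILES = {
    "config.py": (
        "import os\n"
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "s3cr3t-Pa55word!"\n'      # line 3: hardcoded, should be flagged
        'API_KEY = "${API_KEY}"\n'                 # line 4: template placeholder, ignored
        'TOKEN = "xxxxxxxxxxxx"\n'                 # line 5: low-entropy dummy, ignored
        'PASSWORD = os.environ["DB_PASSWORD"]\n'  # line 6: looked up at runtime, fine
    ),
    "deploy.ini": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"  # line 2: AWS docs example id
    ),
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",  # line 1: key material
}


def scan_sample():
    return scan_files(SAMPLE_FILES)


if __name__ == "__main__":
    for path, lineno, kind in scan_sample():
        print(f"{path}:{lineno}: possible {kind}")
```

Wired into a pre-commit hook over the staged files, this kind of check fails the commit before the secret reaches the repository history, which is much cheaper than rotating everything after the fact. The runtime lookup on line 6 of the sample shows the intended pattern: the code names the secret, and the value comes from the environment or a secrets manager client at run time.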


👤 joaofs
Besides delegating the secrets protection to entities that do it well, key rotation is a major benefit to ensure that in the likely event your credentials are leaked (either due to malpractice or a vulnerability) the attack surface is reduced, since the time for which they can be used is shortened.
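The two answers above describe what a secrets manager adds on top of "a database with restricted access": per-client authorization, an audit trail, a client API, and rotation that bounds how long a leaked credential stays useful. The following is an added toy model (not code from the thread, and not the API of Vault, AWS Secrets Manager or any other product) that shows those properties together. Secret names, client identities and the sample password are constructed; the injectable clock exists so the expiry behaviour can be shown deterministically.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    """A time-boxed handle on one version of a secret (a construct of this example)."""
    name: str
    version: int
    value: str
    issued_at: float
    ttl: float


class ToySecretsManager:
    """Versioned secrets, per-identity read policy, audit log and short leases."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._versions = {}   # secret name -> [value_v1, value_v2, ...]
        self._policy = {}     # client identity -> set of secret names it may read
        self.audit_log = []   # (timestamp, identity, action, name, outcome)

    def put(self, name, value):
        """Store a new version of a secret; returns the new version number."""
        self._versions.setdefault(name, []).append(value)
        return len(self._versions[name])

    def rotate(self, name):
        """Replace the current value with a fresh random one. Old leases stop validating."""
        return self.put(name, secrets.token_urlsafe(24))

    def grant(self, identity, name):
        self._policy.setdefault(identity, set()).add(name)

    def read(self, identity, name, ttl=300.0):
        """Client API: authorize, record the access, hand out a lease on the current version."""
        now = self._clock()
        if name not in self._policy.get(identity, set()):
            self.audit_log.append((now, identity, "read", name, "denied"))
            raise PermissionError(f"{identity} may not read {name}")
        versions = self._versions[name]
        self.audit_log.append((now, identity, "read", name, "ok"))
        return Lease(name, len(versions), versions[-1], now, ttl)

    def validate(self, lease):
        """A copied lease is only useful while it is both unexpired and the current version."""
        current = len(self._versions.get(lease.name, []))
        expired = self._clock() > lease.issued_at + lease.ttl
        return lease.version == current and not expired


class FakeClock:
    """Deterministic clock so the demo can advance time explicitly."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    sm = ToySecretsManager(clock)
    sm.put("db/password", "initial-Pa55word")   # constructed sample value
    sm.grant("web-app", "db/password")
    results = {}

    lease = sm.read("web-app", "db/password", ttl=60)
    results["fresh_lease_valid"] = sm.validate(lease)

    try:                                          # unauthorized client is refused and logged
        sm.read("batch-job", "db/password")
        results["unauthorized_denied"] = False
    except PermissionError:
        results["unauthorized_denied"] = True

    clock.advance(61)                             # TTL passes: the old lease is dead
    results["expired_lease_valid"] = sm.validate(lease)

    renewed = sm.read("web-app", "db/password", ttl=60)
    sm.rotate("db/password")                      # rotation invalidates every earlier copy
    results["stale_after_rotation"] = sm.validate(renewed)
    results["new_lease_valid"] = sm.validate(sm.read("web-app", "db/password", ttl=60))
    results["denied_events"] = sum(1 for e in sm.audit_log if e[4] == "denied")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the `validate` check: a credential that leaks out of a log or a developer laptop is bounded by whichever comes first, the lease TTL or the next rotation, and the audit log shows who fetched it and when. With an ad hoc shared database none of those three properties comes for free.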

👤 1123581321
Secrets management is a problem that was encountered often enough on an ad hoc basis that common approaches became products over time. Dealing with it is inevitable given a certain company size, application complexity and regulatory overhead.

A promising trend is secrets automation moving downmarket. 1Password, for example, has a very accessible secrets product that connects to the same place small teams of non-developers can use to store credit card numbers and analytics passwords. I would expect very good, effectively free solutions to exist within the next several years.